Insulin Pump Hacking: Sensationalism or Legitimate Threat?

That medical devices can be hacked—at least hypothetically—isn’t exactly a new revelation. Back in 2008, researchers showed that an implantable cardiac device could be controlled remotely without authorization. A year later, Technology Review named computer science professor Kevin Fu its “Innovator of the Year” for his research on hacking of medical devices and his work to bring attention to the problem.

August 12, 2011


Of course, the motive to do so would be strange, to say the least. But after episodes such as the Tylenol scare in the 1980s and widespread, seemingly pointless hacking episodes over the years, it doesn’t hurt for manufacturers to be careful in protecting their customers.

Because of the attention this issue has been getting over the years, it wasn’t much of a surprise when Jay Radcliffe gave a presentation at the Black Hat security conference held in Las Vegas, explaining that it was possible to hack insulin pumps. Radcliffe, a security researcher who is also diabetic, successfully hacked his own insulin pump. "On stage at the conference I remotely disabled the insulin pump," Radcliffe explains. "I am able to alter any configuration setting on the pump without the user of the device being notified as well." After he gave the presentation, Radcliffe informed the AP of the story.

Although this isn't the first time that the issue of hacking has been raised in a medical device context, it did get more attention than it has in years past, garnering notice from diabetics with insulin pumps who happen to be bloggers, and from others. Some of the comments that stood out include the following (I don't necessarily endorse the content of these sources):

In the past, when hacking of medical devices was discussed, the context was generally something along the lines of “it’s a remote possibility, but it’s still something to consider and to work towards preventing.” That was the context of the Technology Review’s coverage back in 2009:

Could implanted medical devices that use wireless communication, such as pacemakers, be maliciously hacked to threaten patients' lives? Kevin Fu is no stranger to such overblown scenarios based on his research, though he prefers to stick to talking about technical details. But Fu, a software engineer and assistant professor of computer science, is a security guy. And security people think differently.

That quote neatly sums up both sides of the issue: it's a problem worthy of consideration, but not something people with insulin pumps (or other life-preserving devices) should waste much time worrying about.

A PR director from Medtronic’s insulin pump subsidiary MiniMed Inc. wrote the following on diabetes social media site TuDiabetes.org: “To our knowledge, there has never been a single reported incident outside of controlled laboratory experiments in more than 30 years of device telemetry use, which includes millions of devices worldwide.”

The drive behind Radcliffe's presentation was to convince manufacturers of insulin pumps to consider the topic. As Radcliffe explains on Six Until Me:

"And vendors need to know about these vulnerabilities. Is it deterring from actual diabetes cure research? I don't think so, but if it is, people can't be mad at me for bringing the issue up. If you want your insulin pumps to be safer, I have to do this. I'm sorry if it makes people upset, but I'm doing this as ethically as possible. I didn't disclose the brand of device that I wear, and I kept the company protected to the best of my ability."

So, I'm left wondering, how successful can a tactic like this be—describing a problem like this at a hacking conference? If Radcliffe's target audience was device manufacturers, is there a better way to get their attention? Radcliffe spoke to this point by acknowledging that some diabetic bloggers are critical of his actions because the fear generated by this publicity could result in an increase in the time FDA takes to approve devices.

But Radcliffe's aim here is to simply bring attention to the issue. "Fifteen years ago, when we did research on vulnerabilities in computer networks, we were ignored," he says. "They said that the risks were too small, and the 'Internet' was only used for universities sharing scientific research data. It's now the backbone of the economy handling almost all of our financial data transactions and commerce," he adds. "While there is very little risk to the individual insulin pump user, the fact we have insecure embedded computers responsible for critical health functions should give pause to everyone involved. We hold banks responsible for security of a $10 online purchase, but we'll give medical device makers a free pass on not securing the devices responsible for our health or even our lives? When we spend upwards of $6000 for a medical device I think we deserve to have that device be secure."

—Brian Buntz

Note: This blog post was edited after it was initially posted. Quotes from Jay Radcliffe were added and an inaccuracy regarding his hacking of the insulin pump was corrected.
